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HONG KONG MONETARY AUTHORITY 
AY E Sz fa BE Jy 


Our Ref.: B1/15C 
B9/29C 


18 May 2021 


The Chief Executive 
All Authorized Institutions 


Dear Sir/Madam, 


Secure Tertiary Data Backup 


I am writing to request all authorized institutions (AIs) to critically assess the 
need for setting up a secure tertiary data backup (STDB) to counter the risk of 
destructive cyber attacks. 


Destructive malwares, including ransomwares, are of growing concern as they 
can potentially lead to permanent loss, corruption or unauthorised alteration 
of critical data in both production and backup environments. In light of recent 
international developments such as the US Sheltered Harbor initiative to 
address this type of cyber threats, the HKMA has invited the Hong Kong 
Association of Banks (HKAB) to develop guidelines on STDB that are 
appropriate for the banking landscape in Hong Kong. 


In response to the HKMA’s call, the HKAB formed a STDB Taskforce to 
oversee the development of the guidelines. After extensive consultation with 
member institutions, the HKAB issued the “Secure Tertiary Data Backup 
Guideline” on 30 April 2021. The STDB Guideline provides guidance to 
banks on the factors they need to take into account in deciding whether to set 
up an STDB and what implementation issues they need to overcome in 
ensuring the effectiveness of the STDB. The Guideline covers 8 high-level 
principles grouped under the headings of Governance, Design and Data 
Restoration. 


The HKMA considers STDB an effective measure to enhance cyber resilience 
and data security of Als in Hong Kong. It expects all Als to critically assess 
the need for implementing an STDB having regard to their risk exposure and 
taking into account the principles stipulated in the HKAB’s STDB Guideline. 
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All retail banks and foreign bank branches with significant operations in Hong 
Kong are expected to submit a report containing the result of their assessment 
to the HKMA by 30 November 2021. The HKMA will inform Als 
individually if they are required to submit the report and will provide them 
with details of what information needs to be covered by the report. For 
locally-incorporated Als, the assessment report should be endorsed by the 
board of directors. For foreign bank branches, the assessment should be 
conducted under the scrutiny of their head office or regional headquarters. 


Should you have any questions on the above, please contact Mr Peter Tai at 
2597 0876 or Mr Stephen Cheng at 2878 8117. 


Yours faithfully, 


Arthur Yuen 
Deputy Chief Executive 


